Cyberattack Exploits Magento Flaw, Compromising 200+ E-Commerce Sites Globally

In a significant cybersecurity incident, over 200 Magento-based e-commerce websites have been compromised by attackers exploiting a critical vulnerability known as CVE-2025-54236, or SessionReaper. This flaw allows unauthorized access through the reuse of session tokens that were not properly invalidated by the Magento application. These tokens, akin to digital keys verifying user identity, can be intercepted and replayed by attackers to gain administrative access, effectively bypassing all password protections and security measures.

The attack campaign, identified in January 2026, represents one of the most significant waves of coordinated web server compromises in recent months, affecting hundreds of online stores across different regions and industries. Oasis Security analysts identified multiple independent intrusion incidents where different threat actors exploited CVE-2025-54236 against Magento environments across various geographical regions, demonstrating widespread knowledge and weaponization of this flaw. The research team discovered that attackers had scanned for vulnerable systems on a massive scale, identifying over 1,000 vulnerable Magento APIs and successfully compromising 200 websites with root-level administrative access.

Infection Mechanism

Once attackers gained initial access through session hijacking, they escalated their privileges to root, the highest level of system control on Linux servers. With that access they deployed web shells, small scripts that give an attacker persistent remote command execution for ongoing system manipulation and data theft. Compromised systems were found to contain sensitive files listing system user accounts and credentials, indicating thorough exploration of the host and potential data exfiltration.

The investigation uncovered command and control infrastructure operating from Finland and Hong Kong, with separate threat actors conducting web shell deployment operations specifically targeting Magento sites in Canada and Japan. The attackers maintained detailed logs of compromised websites and deployed shell paths, demonstrating organized operational security and systematic targeting strategies.

Mitigation Measures

Organizations running Magento must immediately patch this vulnerability and audit their server logs for suspicious session token usage. The widespread nature of this campaign underscores the critical importance of timely security updates and continuous monitoring of e-commerce platforms hosting valuable customer data and payment information.
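The log audit recommended above can be started with a simple replay detector. The script below is an added illustration, not code from the article, from Oasis Security, or from Magento/Adobe: it reads constructed access-log lines and flags session identifiers that keep working after a logout was served or that arrive from more than one client address. The log layout, the `sess=` field, the logout and admin paths, and every IP address and token value are assumptions made for this example; the parser must be adapted to the real server log format before use.

```python
"""
Added example (not from the article or from Magento/Adobe): a small
detector that reads constructed web-server access log lines and flags
session identifiers that look replayed, which is the behaviour the
SessionReaper description points at (tokens not invalidated server-side).
Log format, field names, paths, addresses and token values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log layout (constructed for this example):
#   <ISO timestamp> <client ip> sess=<session id> <method> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sess=(?P<sid>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Assumed paths: which requests end a session and which are privileged.
LOGOUT_PATHS = ("/customer/account/logout", "/admin/admin/auth/logout")
ADMIN_PREFIX = "/admin/"

# Constructed sample log: SID-AAA is reused from a new address after the
# server served a logout; SID-CCC hops between two addresses; SID-BBB is clean.
SAMPLE_LOG = """\
2026-01-10T09:00:01Z 198.51.100.7 sess=SID-AAA GET /admin/dashboard 200
2026-01-10T09:05:12Z 198.51.100.7 sess=SID-AAA POST /admin/admin/auth/logout 302
2026-01-10T09:07:40Z 203.0.113.9 sess=SID-AAA GET /admin/dashboard 200
2026-01-10T09:08:02Z 203.0.113.9 sess=SID-AAA POST /admin/system/config/save 200
2026-01-10T09:10:00Z 192.0.2.14 sess=SID-BBB GET /customer/account 200
2026-01-10T09:11:30Z 192.0.2.14 sess=SID-BBB GET /catalog/product/view 200
2026-01-10T09:12:00Z 192.0.2.14 sess=SID-CCC GET /checkout 200
2026-01-10T09:12:30Z 198.51.100.7 sess=SID-CCC GET /checkout 200
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return entry


def analyze(log_text):
    """Return {session id: [finding, ...]} for sessions that look replayed.

    Lines are assumed to be in chronological order, as a server log is.
    """
    findings = defaultdict(list)
    ips_seen = defaultdict(set)   # session id -> client addresses observed
    logged_out_at = {}            # session id -> time the logout was served
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        sid, ip, path = e["sid"], e["ip"], e["path"]
        # A. The token is presented again after the server already served a
        #    logout for it: a properly invalidated session would be rejected.
        if sid in logged_out_at and e["ts"] > logged_out_at[sid]:
            kind = "admin" if path.startswith(ADMIN_PREFIX) else "storefront"
            findings[sid].append(f"reuse after logout: {ip} -> {path} ({kind})")
        # B. The same token arrives from a second client address.
        if ips_seen[sid] and ip not in ips_seen[sid]:
            findings[sid].append(
                f"new client address {ip} (previously {sorted(ips_seen[sid])})"
            )
        ips_seen[sid].add(ip)
        if path in LOGOUT_PATHS:
            logged_out_at[sid] = e["ts"]
    return dict(findings)


if __name__ == "__main__":
    for sid, items in analyze(SAMPLE_LOG).items():
        print(sid)
        for item in items:
            print("  -", item)
```

Check A is the stronger signal, because a token that still grants access after the server served a logout points directly at missing invalidation; check B alone will also fire for a legitimate user whose address changes mid-session, so it is best correlated with the admin-path hits rather than alerted on by itself.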